On 21.10.2011 at 04:02, Morgan Reed wrote:

> Hi all,
>
> I'm currently attempting to set up, I suppose you'd call it a
> multi-VPN-tunnel gateway. Basically I have several OpenVPN servers in
> different locations, I want to have various tunnels up to them and be
> able to choose an exit by way of pointing my browser at a particular
> instance of Squid running in a particular jail which routes via a
> particular tunnel (HTTP/S traffic is the primary concern at this
> point, though I might want to extend the concept to all traffic in
> future).

I have a similar setup, but the OpenVPN endpoints are on OpenWrt, with tinyproxy running there. I have a central Squid that knows which tinyproxy to use for which URL pattern, and that works quite well.

> First issue I ran into was routing tables, that was resolved by
> recompiling my kernel with option ROUTETABLES=10 and pointing each of
> my jails to their own FIB, however as it's not possible to configure
> route tables from inside the jail (as far as I'm aware anyway) I need
> to bring the OpenVPN tunnel up from the host and utilise a route-up
> script to configure the routing table for the jail (utilising setfib),
> I run into problems though, as even though the tun device is visible
> in the jail it does not appear to be configured (no IP addresses, etc)
> so the jail is unable to route traffic.
>
> All the stuff I've been able to find online has been geared to static
> addresses on each end of the tunnel, this is not the case with my VPN
> provider, tunnel addresses are dynamically assigned.
>
> I think that worst case I can probably use pf on the host to route
> traffic from a given jail via a particular interface or possibly
> cobble something up around VIMAGE, but I think I'd rather not have to
> go down those paths.
>
> I'm not sure if what I'm looking for is actually possible, any
> suggestions would be much appreciated.

I was trying to enable a set of processes to use a separate DSL interface, with the FreeBSD box terminating the PPPoE connection. I've tried a couple of things:

- I couldn't come up with pf rules that would allow certain processes (i.e. those in a specific jail, or running under a specific user id) to have separate forwarding applied to them. I believe IPFW might be better suited, but I haven't tried.
- VIMAGE and mpd don't like each other, so VIMAGE was out as well.
- VBox with the interface bridged to the DSL interface works fine, but has a lot of overhead.

My OpenVPN hub server is running inside a jail, but the tun interface is preconfigured from outside; the config substitutes /bin/true for ifconfig and route.

HTH, and please report back on any success, I'm definitely interested!

Stefan

--
Stefan Bethke <s...@lassitu.de> Fon +49 151 14070811

freebsd-stable@freebsd.org mailing list
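The host-side route-up approach from Morgan's question, worked through as an added example (this is not code from either poster). It assumes OpenVPN runs on the host with `route-noexec` so the host's own FIB 0 is left untouched, that the per-tunnel FIB number is handed to the script as an assumed `JAIL_FIB` variable via `setenv`, and that the script path is a placeholder; the tunnel addresses come from the environment variables OpenVPN exports, so nothing depends on static addresses.

```shell
#!/bin/sh
# Added example, not from the thread. OpenVPN "route-up" hook run on the
# FreeBSD host for one tunnel. OpenVPN exports the dynamically assigned
# tunnel addresses (trusted_ip, route_net_gateway, route_vpn_gateway) as
# environment variables, so no addresses are hard-coded. JAIL_FIB is an
# assumed per-tunnel setting supplied from the OpenVPN config, e.g.
#   setenv JAIL_FIB 1
#   route-up /usr/local/etc/openvpn/jail-fib-route-up.sh   (assumed path)
# DRY_RUN=1 prints the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Program the routing table of FIB $1 from the OpenVPN environment.
# Returns 1 (and changes nothing) if the variables OpenVPN should have set
# are missing, e.g. when the script is run by hand outside OpenVPN.
program_jail_fib() {
    fib=$1
    if [ -z "${trusted_ip:-}" ] || [ -z "${route_net_gateway:-}" ] \
        || [ -z "${route_vpn_gateway:-}" ]; then
        echo "program_jail_fib: OpenVPN environment variables missing" >&2
        return 1
    fi
    # The VPN server itself must stay reachable via the real uplink from
    # inside the jail's FIB, otherwise packets to it would loop into the
    # tunnel once the default route below is in place.
    run setfib "$fib" route -q add -host "$trusted_ip" "$route_net_gateway"
    # Everything else in that FIB leaves through the tunnel's far end.
    # A fresh FIB may have no default route yet, so ignore a failed delete.
    run setfib "$fib" route -q delete default || :
    run setfib "$fib" route -q add default "$route_vpn_gateway"
}

if [ -n "${JAIL_FIB:-}" ]; then
    program_jail_fib "$JAIL_FIB"
fi
```

With the jail bound to that FIB (`setfib N jail ...` or the jail's fib option), the only default route the jail's traffic can use is the tunnel, so a tunnel that is down means no connectivity rather than a leak through the host's uplink.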